US20200244624A1 - Method for Filtering Communication Data Arriving Via a Communication Connection, in a Data Processing Device, Data Processing Device and Motor Vehicle - Google Patents
- Publication number: US20200244624A1 (application US16/632,611)
- Authority: US (United States)
- Prior art keywords: data processing, communications, processing device, data, filter means
- Prior art date
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G06F13/00—Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units > G06F13/38—Information transfer, e.g. on bus > G06F13/40—Bus structure > G06F13/4004—Coupling between buses > G06F13/4027—Coupling between buses using bus bridges
- G06F13/00 > G06F13/38—Information transfer, e.g. on bus > G06F13/42—Bus transfer protocol, e.g. handshake; Synchronisation > G06F13/4282—Bus transfer protocol, e.g. handshake; Synchronisation on a serial bus, e.g. I2C bus, SPI bus
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/44—Program or device authentication
- G06F21/00 > G06F21/60—Protecting data > G06F21/606—Protecting data by securing the transmission between two devices or processes
- G06F21/00 > G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer > G06F21/82—Protecting input, output or interconnection devices > G06F21/85—Protecting interconnection devices, e.g. bus-connected or in-line devices
- H04L63/00—Network architectures or network communication protocols for network security > H04L63/02—Separating internal from external traffic, e.g. firewalls > H04L63/0209—Architectural arrangements, e.g. perimeter networks or demilitarized zones
- H04L63/00 > H04L63/02—Separating internal from external traffic, e.g. firewalls > H04L63/0227—Filtering policies > H04L63/0245—Filtering by information in the payload
- G06F2213/00—Indexing scheme relating to interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units > G06F2213/0026—PCI express
Definitions
- the filter means is configured by the data processing device itself using a separate configuration channel within the data processing device, in particular proceeding from the arithmetic unit, and/or an existing configuration interface of the interface unit. Accordingly, the data processing device in a data processing system has control over the incoming messages and messages to be filtered out, via the communications connection.
- The present disclosure protects against incoming attacks and provides maximum autonomy to the data processing device as a subsystem, instead of opening up access to an observation device that can be manipulated centrally throughout the data processing system.
- The data processing device can use its own firewall in the form of the filter means. There is no master device that could change the firewall configuration information, since only the data processing device itself can change the configuration. Furthermore, each data processing device can react to incoming attacks and restrict, or even entirely close, the communications connection by means of corresponding reconfiguration of the filter means.
- The filter means can assess the content of the communications data, i.e., the payload. While the approaches known in the prior art can be referred to as “stateless packet inspection,” the present disclosure can be referred to as “stateful packet inspection.” Therefore, the content is assessed in addition to the origin, the destination, and the communications path that the communications data have taken. In addition to directly accessing the payload, an authorization criterion can also access corresponding properties of the communications data contained in the header of the packet-based communication. Forming the filter means in hardware at least in part, i.e., in particular integrating it in the chip that forms the interface unit, further restricts the possibilities of manipulation.
- filtering the communications traffic within the data processing device itself, but outside of the arithmetic unit and the storage means allows for strict separation in distributed systems of data processing devices.
- Locating the filter means in the interface unit, i.e., in particular in an external chip, furthermore makes it possible to use simpler remaining components, in particular arithmetic units, for example CPUs, in security-critical data processing devices which use the communications standard of the communications connection. Outsourcing the filter means to the interface unit thus reduces the complexity of the data processing device itself.
- the mechanism according to embodiments as described herein can also be used in multiplexed/demultiplexed communications connections. In particular, a bridging means that is used does not need to have any information about the filter processes.
- a communications connection according to the PCI Express (PCIe) communications standard is used.
- A PCIe communications connection in principle represents a packet-based point-to-point connection which, as described at the outset, can also be used for a plurality of communications partners by way of bridging means.
- the filter means may be applied in a communications layer acting in accordance with a communications standard used in the communications connection for the physical transport of formatted communications data, in particular a transaction layer in PCI Express.
- the filtering can purposely be located as close as possible to the physical reception of the communications data, in order to minimize the influence thereof on the data processing device, in particular the storage means and/or the arithmetic unit.
- the data are still in the transmission format defined by the communications standard, here in particular PCI Express. If content, in particular payload, is intended to be accessed directly by means of at least one authorization condition, and the payload is encrypted, a filter means of this kind would be provided directly following suitable decryption means.
- a filter means implemented as part of a microchip that forms the interface unit is used as the filter means.
- the filter means can thus be implemented in concrete terms by means of hardware, by modifying a corresponding interface unit microchip, and therefore be firmly integrated in the processing sequence, in terms of the hardware. This can in particular be a PCIe chip.
- The filter means can preferably be configured exclusively by the data processing device itself, in particular exclusively by the arithmetic unit.
- The arithmetic unit, for example a CPU, thus preferably has exclusive configuration access to the filter means, which ensures the greatest possible autonomy and flexibility of the data processing device itself; accordingly, it is also possible, for example, to respond to attacks by making the authorization conditions stricter or by deactivating the communications connection entirely.
- At least one of the authorization conditions assessing at least one payload may check a minimum length and/or maximum length of a payload unit, a control command, a restriction of the function type of a control command described by the payload, and/or a restriction of the accessible memory region of the at least one storage means. Therefore, a restriction of the admissible payload in the communications data can be defined, initially for example by the length of a payload unit, which is intended to be written into a memory region of the storage means for example. It is thus possible to assume, for example, that the smaller a payload unit, for example, a control command, is, the less damage a malicious payload unit can do in the data processing device.
- an authorization condition excludes certain function types/function classes. This in turn excludes certain types of access, in particular to storage means, in the data processing device, for example write access, manipulation access and the like.
- the memory region in which the payload of the communications data may be stored can be restricted. Due to the corresponding structure thereof, payloads/control commands frequently aim at the use of certain memory regions of storage means of the data processing device, which regions may be particularly relevant for the security-critical functionality of the data processing device, as a result of which such particularly security-critical regions can be excluded for example by an authorization condition.
- Authorization conditions for all these criteria can be used in combination, for example so that workaround solutions, such as fragmentation of overall commands in the case of size restrictions and the like, are avoided.
- Further authorization conditions can be used, by means of which a communication attribute describing the communications connection and/or the communications partner is evaluated; in this respect too, the filter means can provide restrictions.
- the configuration information may describe a security level having associated authorization conditions and/or parameters of the authorization conditions. Therefore, specific predetermined configuration information can be used for different security levels, with the result that the corresponding security level can be adjusted to the filter means within the data processing device in a particularly simple manner, by means of configuration access.
- 16 security levels can be provided, which can thus be described, for example, by 2 bytes which relax restrictions for the communications data in a stepwise manner.
- the procedure according to various embodiments as described herein can be used in a data processing system of a motor vehicle.
- the data processing device forms a part of a motor vehicle, in particular a controller, and communicates with the at least one communications partner which is part of a data processing system of the motor vehicle.
- modern motor vehicles are a specific example for complex data processing systems in which a wide variety of security levels or security regions can be defined, for example as more security-critical controllers (vehicle guidance, in particular fully automated vehicle guidance, security systems and the like), and less security-critical controllers (infotainment, etc.).
- a mechanism allows for high-speed communication, for example, via PCI Express, comprising a feedback channel, but which nonetheless prevents, as far as possible, possibilities of manipulation from less security-critical controllers.
- A data processing device, in particular a controller for a motor vehicle, is disclosed.
- the data processing device comprises an interface element having a filter means, at least one storage means, and an arithmetic unit, and is designed to carry out the method according to the embodiments as described herein.
- a motor vehicle comprising a data processing device according to embodiments as described in this disclosure is disclosed. All the disclosure with regard to the method according to various embodiments as described herein can be transferred analogously to the data processing device and the motor vehicle as described herein.
- FIG. 1 shows a data processing device, in accordance with some embodiments.
- FIG. 1 shows a schematic sketch of a data processing device 1 that comprises at least one arithmetic unit 2 and at least one storage means 3 .
- It is also possible for at least one of the at least one storage means 3 to be implemented within the arithmetic unit 2, which can also be designed as a CPU, for example.
- the data processing device 1 can be a controller of a motor vehicle.
- communications connections are formed proceeding from the data processing device 1 .
- At least one communications connection 4 to a communications partner 5 that is only indicated here uses the PCI Express communications standard (PCIe communications standard) for high-speed data transmission.
- one interface unit 6 of the data processing device 1 is designed as a PCIe microchip.
- filter means 7 which, owing to configuration information, checks incoming communications data against various authorization conditions, is integrated, in terms of hardware, into said interface unit 6 , i.e., provided in a manner fixed in the corresponding microchip, the payload contained in the communications data also actually being forwarded to the further components of the data processing device 1 , in this case the arithmetic unit 2 and the storage means 3 , only if all the authorization conditions are fulfilled. Accordingly, at least one of the authorization conditions evaluates a property of the payload contained in the communications data, it being possible for further authorization conditions to also relate to the communications partner 5 and/or to the communications connection 4 itself.
- the communications partner 5 can furthermore be both what is known as an end point and an interposed switching means, for example, a bridging means, a switch and/or a multiplexer/demultiplexer.
- the filter means 7 can be configured only from within the data processing device 1 , for example, by the arithmetic unit 2 .
- a corresponding separate configuration channel can be provided for this purpose, but it is also possible to use a communications interface of the interface unit 6 that is used in any case for configuration purposes.
- the configuration access is indicated by the arrow 8 in FIG. 1 .
- FIG. 2 shows an operating sequence of a method, in accordance with some embodiments.
- FIG. 2 explains in more detail the operating sequence of an embodiment of the method as can be implemented in the data processing device 1 .
- In a step S 1, communications data comprising a payload and a header are received, in the present case as data packets.
- After passing through the physical layer and the data link layer, the communications data reach the transaction layer, where the data packets (transaction layer packets, TLPs) encounter the filter means 7.
- The corresponding filtering, i.e., checking all the authorization conditions for each incoming data packet, takes place in step S 2.
- If it is found in the process that at least one of the authorization conditions is not fulfilled, the data packet is rejected in step S 3, and the method returns to step S 1 for the next data packet. However, if all authorization conditions are fulfilled, the communications data are processed further, as usual, in the interface unit 6 in a step S 4 and forwarded to the further components 2, 3 of the data processing device 1.
- In a step S 5, it is possible to constantly monitor, within the arithmetic unit 2, whether an attack is present or can be detected.
- Reconfiguration (arrow 8 ) of the filter means 7 can take place in a step S 6 , for example the authorization conditions can be made stricter or the communications connection 4 can be entirely deactivated.
- specific security levels having associated configuration information which describes the authorization conditions, are defined as shown in greater detail in table 9 of FIG. 3 .
- each line corresponds to a security level L 1 , L 2 , etc.
- P 1 -P 10 are parameters of authorization conditions.
- P 1 and P 2 describe the admissible serial numbers of communications connections.
- P 3 and P 4 describe admissible serial numbers of communications partners.
- P 5 -P 10 relate to contents-related authorization conditions.
- P 5 and P 6 describe the range of admissible function types (function classes), P 7 and P 8 admissible memory regions of the at least one storage means 3 in which data may be written, and P 9 and P 10 the minimum length and maximum length of payload units.
- payload units can correspond to control commands, but other payloads can also be processed by the filter means 7 .
- security level L 1 may not be associated with any restrictions in the communication, while security level L 16 allows only signals on the first communications connection for the communications partner no. 16 and the first function class.
- the target memory region and the amount of data are likewise clearly defined and restricted.
- a suitable security level L 1 , L 2 , etc. can, as described, also be selected dynamically by means of the arithmetic unit 2 .
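The authorization conditions described above (payload unit length, function type, target memory region, and the connection and partner attributes), the security-level table of FIG. 3, and the operating sequence S 1 to S 6 can be modelled in software to see how they interact. The following Python block is an added example written for this page; it is not code from the patent or from any product, and it models in software what the text places in hardware. It assumes the standard PCIe 3DW/4DW transaction layer packet header layout for memory requests, maps the Requester ID to the "communications partner number" (P 3/P 4) and a caller-supplied link index to the "connection number" (P 1/P 2), uses an assumed function-class numbering (1 = memory read, 2 = memory write, 3 = configuration request, 4 = message), and stands in for the attack detection of step S 5 with a simple reject counter. The level table (L 1, L 8, L 16) and all numeric bounds in it are constructed for illustration, as are the sample packets.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

# Assumed function-class numbering for P5/P6: 1 = memory read, 2 = memory write,
# 3 = configuration request, 4 = message; 0 = any other TLP type (not modelled).
MRD, MWR, CFG, MSG = 1, 2, 3, 4


@dataclass(frozen=True)
class SecurityLevel:
    """One line of table 9: the parameter pairs P1..P10 of the authorization conditions."""
    conn_min: int; conn_max: int        # P1, P2: admissible communications connection numbers
    partner_min: int; partner_max: int  # P3, P4: admissible communications partner numbers
    func_min: int; func_max: int        # P5, P6: admissible function classes
    addr_min: int; addr_max: int        # P7, P8: admissible target memory region (inclusive)
    len_min: int; len_max: int          # P9, P10: admissible payload unit length in bytes

# Constructed level table: L1 without restrictions and L16 admitting only connection 1,
# partner 16 and function class 1 inside a small region, as the text describes; the
# intermediate level L8 and every numeric bound are assumptions for illustration.
LEVELS = {
    1: SecurityLevel(0, 0xFFFF, 0, 0xFFFF, 0, 4, 0, 2**64 - 1, 0, 4096),
    8: SecurityLevel(1, 2, 1, 64, 1, 2, 0x1000_0000, 0x1FFF_FFFF, 0, 256),
    16: SecurityLevel(1, 1, 16, 16, 1, 1, 0x1000_0000, 0x1000_0FFF, 0, 64),
}


@dataclass(frozen=True)
class Tlp:
    fmt: int
    type_: int
    length_dw: int
    requester_id: int   # assumed to identify the communications partner (P3/P4)
    address: int        # only meaningful for memory requests
    payload: bytes

def parse_tlp(raw: bytes) -> Tlp:
    """Decode the 3DW or 4DW header of a PCIe transaction layer packet (step S1)."""
    if len(raw) < 12:
        raise ValueError("TLP shorter than a 3DW header")
    dw0, dw1 = struct.unpack_from(">II", raw, 0)
    fmt = (dw0 >> 29) & 0x7             # bit 0: 4DW header, bit 1: data attached
    type_ = (dw0 >> 24) & 0x1F
    length_dw = (dw0 & 0x3FF) or 1024   # a Length field of 0 encodes 1024 DW
    requester_id = dw1 >> 16
    if fmt & 0x1:
        if len(raw) < 16:
            raise ValueError("TLP shorter than a 4DW header")
        hi, lo = struct.unpack_from(">II", raw, 8)
        address, hdr_len = (hi << 32) | (lo & 0xFFFF_FFFC), 16
    else:
        (lo,) = struct.unpack_from(">I", raw, 8)
        address, hdr_len = lo & 0xFFFF_FFFC, 12
    payload = raw[hdr_len:]
    if (fmt & 0x2) and len(payload) != 4 * length_dw:
        raise ValueError("payload does not match the Length field")
    return Tlp(fmt, type_, length_dw, requester_id, address, payload)

def function_class(tlp: Tlp) -> int:
    if tlp.type_ == 0x00:
        return MWR if tlp.fmt & 0x2 else MRD
    if tlp.type_ in (0x04, 0x05):
        return CFG
    return MSG if tlp.type_ & 0x10 else 0

def filter_tlp(tlp: Tlp, lvl: SecurityLevel, connection_no: int) -> tuple[bool, str]:
    """Step S2: forward only if every authorization condition holds; otherwise reject (step S3)."""
    fc = function_class(tlp)
    span = 4 * tlp.length_dw if fc in (MRD, MWR) else 0   # bytes touched by a memory request
    region_ok = span == 0 or (lvl.addr_min <= tlp.address and tlp.address + span - 1 <= lvl.addr_max)
    checks = [
        ("connection", lvl.conn_min <= connection_no <= lvl.conn_max),
        ("partner", lvl.partner_min <= tlp.requester_id <= lvl.partner_max),
        ("function class", lvl.func_min <= fc <= lvl.func_max),
        ("memory region", region_ok),
        ("payload length", lvl.len_min <= len(tlp.payload) <= lvl.len_max),
    ]
    for name, ok in checks:
        if not ok:
            return False, name
    return True, "ok"


class FilterMeans:
    """Filter means 7 plus the local configuration access (arrow 8): only this object, standing
    in for the arithmetic unit 2, changes the level. Counting rejects as the attack detection
    of step S5 is an assumption made for the example."""

    def __init__(self, level: int = 1, reject_threshold: int = 3) -> None:
        self.level, self.rejects, self.threshold = level, 0, reject_threshold

    def receive(self, raw: bytes, connection_no: int) -> tuple[bool, str]:
        ok, reason = filter_tlp(parse_tlp(raw), LEVELS[self.level], connection_no)
        if not ok:
            self.rejects += 1
            if self.rejects >= self.threshold:
                self.tighten()          # step S6: make the conditions stricter
        return ok, reason

    def tighten(self) -> None:
        higher = [lv for lv in sorted(LEVELS) if lv > self.level]
        if higher:
            self.level, self.rejects = higher[0], 0

def build_mwr32(requester_id: int, address: int, payload: bytes) -> bytes:
    """Constructed 3DW Memory Write TLP (Fmt 010, Type 00000) used as sample input."""
    dw0 = (0b010 << 29) | ((len(payload) // 4) & 0x3FF)
    dw1 = (requester_id << 16) | (0x05 << 8) | 0xFF   # tag 5, all byte enables set
    return struct.pack(">III", dw0, dw1, address & 0xFFFF_FFFC) + payload

def build_mrd32(requester_id: int, address: int, length_dw: int) -> bytes:
    """Constructed 3DW Memory Read TLP (Fmt 000, Type 00000) used as sample input."""
    dw1 = (requester_id << 16) | (0x05 << 8) | 0xFF
    return struct.pack(">III", length_dw & 0x3FF, dw1, address & 0xFFFF_FFFC)
```

A `FilterMeans(level=8, reject_threshold=2)` forwards a 16-byte write from partner 3 into the admissible region, rejects two writes aimed at an address outside it, and after the second reject tightens itself to L 16, where only memory reads from partner 16 on connection 1 are still forwarded. Keeping the memory-region check on the whole span of a request (start address plus length) rather than on the start address alone is what prevents a request that begins inside the admitted region from reaching past its end.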
- FIG. 4 shows a schematic sketch of a motor vehicle, in accordance with some embodiments.
- FIG. 4 shows a schematic sketch of a motor vehicle 10 that comprises a data processing system 11 which comprises a plurality of data processing devices 1 a, 1 b and 1 c according to the embodiments as described herein. Only three data processing devices are shown for reasons of simple illustration.
- Communications connections 4 ab, 4 ac, 4 bc exist in each case between the data processing devices 1 a, 1 b and 1 c, which communications connections are operated in accordance with the PCI Express communications standard.
- Filter means 7 operated according to the invention are provided within each of the data processing devices 1 a, 1 b and 1 c, such that each data processing device 1 a, 1 b and 1 c can ensure its own security in an autonomous manner and at an increased level of reliability, i.e., in particular irrespective of impairments of other parts of the data processing system 11.
Abstract
Description
- The present disclosure relates to a method for filtering communications data, arriving from a communications partner via a communications connection that allows access to at least one storage means of a receiving data processing device, in the data processing device, a data processing device, and a motor vehicle.
- Today, modern data processing systems, as part of overall apparatuses, for example motor vehicles, are becoming increasingly complex owing to the increasing demands on the performance capability of said data processing systems, as well as the technological possibilities for optimizing said data processing systems. In this case, technologies which are also used for conventional personal computers are increasingly used, even in other overall apparatuses, for example motor vehicles. Technologies of this kind also comprise in particular packet-based point-to-point communications standards, in particular the PCI Express communications standard (PCIe communications standard), which is typically used in order, for example, to connect peripheral devices to a chipset in a personal computer. PCI Express is one of the fastest available communications methods. Typical applications for PCI Express are applications in which large volumes of data have to be processed and/or transmitted in extremely short periods of time. In order to establish connections for example between one chipset and a plurality of peripheral devices, it is known to interpose bridging means, which can be designed for example as a multiplexer, switch, or the like. Bridging means of this kind can be “transparent” or “non-transparent,” and, therefore, act directly as a communications partner or allow a data processing device that can be reached via the bridging means to appear as a direct communications partner. A plurality of different architectures are possible and known.
- In the case of communications standards such as PCI Express, the communications partners conventionally obtain direct access to storage means and arithmetic units of the data processing devices communicating therewith. This is also the case if overall apparatuses or the data processing systems thereof comprise security-critical parts which are intended to communicate with less safety-critical regions. For example, it is known in motor vehicles to consider driving and/or security system-related controllers as data processing devices, in particular also with respect to autonomous driving, to be rather security-critical data processing devices and which should therefore be associated with a security region, but which nonetheless are intended to communicate with data processing devices, in particular further controllers, assessed as less security-critical.
- However, providing a bidirectional connection that allows access to storage means and/or arithmetic units in the security-critical data processing device would allow data processing devices classed as less security-critical, as communications partners, to carry out manipulations within the security-critical data processing device, for example, if the less security-critical communications partner has been hacked or replaced and/or the communications data were manipulated during transmission via the communications connection.
- The simplest conceivable way of preventing manipulation of this kind would be to provide only a monodirectional connection from the security region to the less security-critical communications partners. Although a solution of this kind would be secure, it is not realistic, because assemblies without a feedback channel cannot be controlled or administered expediently. The applicability of such an approach is therefore to be considered rather restricted.
- In another approach, it would be conceivable to provide a highly restricted feedback channel from less security-critical communications partners to the security-critical data processing device which restricts the possibilities of attack on the security-critical side. For example, only actuation signals without any payload can be received. However, a limitation of this kind has to be implemented as separate hardware, which is laborious and significantly limits the functionality of the feedback channel.
- DE 10 2012 017 339 A1 relates to a computer system comprising at least two CPUs which each comprise a PCIe bus hierarchy, by means of which messages, which each comprise an origin address, a destination address, and a payload, can be transmitted between connected communications devices. The PCIe bus hierarchies are connected by a bridging means, such that messages can be exchanged between communications devices that are connected to different PCIe bus hierarchies, the computer system comprising at least one peripheral device having a communications device which can be used jointly by the CPUs, the bridging means comprising a translation means, which is designed for translating the destination address of messages that are transmitted from one PCIe bus hierarchy to another. In this context, it is also proposed to arrange observation devices, for monitoring the messages transmitted by the bridging means, between the bridging means and the PCIe hierarchies. In order to protect PCIe bus hierarchies that are connected to the bridging means, destination addresses and origin addresses can be evaluated, in order to reject messages if necessary.
- Thus, observation devices are provided there at central positions in the data processing systems, which devices are to be configured as a whole. This solution is complex and inflexible, in particular if the observation devices are also subject to configuration access of less security-critical data processing devices.
- FIG. 1 shows a data processing device, in accordance with some embodiments.
- FIG. 2 shows an operating sequence of a method, in accordance with some embodiments.
- FIG. 3 shows a definition of security levels, in accordance with some embodiments.
- FIG. 4 shows a schematic sketch of a motor vehicle, in accordance with some embodiments.
- The object of the present disclosure is therefore that of specifying a possibility for improved, more flexible, and more independent protection of data processing devices within a data processing system of an overall apparatus, in particular of a motor vehicle.
- In order to achieve this object, in some embodiments, a method is disclosed. The method includes receiving the communications data at an interface unit of the data processing device and filtering them, using a filter means that is implemented at least in part as hardware, in accordance with configuration information that is specified on the side of the data processing device. The filter means applies at least one authorization condition that assesses at least one property of the payload contained in the communications data, and forwards only communications data that fulfill the at least one authorization condition from the interface unit to at least one further component of the data processing device.
- The present disclosure is therefore based on the concept of implementing a hardware-based firewall, in the form of a filter means, on the side of the receiving data processing device, i.e., the device that is assessed as security-critical or that is located in a security region. The firewall is implemented by an interface unit, for example a PCIe controller chip. In this case the payload can comprise control commands acting on the at least one storage means, the filter means being applied at least to these control commands. However, the procedure described here can also be applied to other payloads in the communications data, since other payloads can likewise cause damage in the memory of a data processing device and/or in an arithmetic unit of a data processing device. Depending on the configuration information, the filter means reduces the payload, in particular the control signals, that is actually forwarded to the relevant components, i.e., in particular the storage means and/or the arithmetic unit, to the amount that is necessary and that preserves security. In this way, the attack surface presented by the communications connection is minimized without having to forgo a fully functional feedback channel.
- In some embodiments, the filter means is configured by the data processing device itself using a separate configuration channel within the data processing device, in particular proceeding from the arithmetic unit, and/or an existing configuration interface of the interface unit. Accordingly, the data processing device in a data processing system has control over which incoming messages on the communications connection are accepted and which are filtered out. Thus, the present disclosure protects against incoming attacks and gives the data processing device, as a subsystem, maximum autonomy, instead of opening up access to an observation device that centrally manipulates the entire data processing system.
- By way of non-limiting example, irrespective of whether other portions of the data processing system are compromised, the data processing device can rely on its own firewall in the form of the filter means. There is no master device that could change the firewall configuration information, since only the data processing device itself can change the configuration. Furthermore, each data processing device can react to incoming attacks and restrict, or even entirely close, the communications connection by reconfiguring the filter means accordingly.
- In some embodiments, the filter means assesses the content of the communications data, i.e., the payload. Whereas the approaches known from the prior art evaluate only addresses and can be referred to as "stateless packet inspection," the present disclosure inspects the content and is referred to in the text as "stateful packet inspection" (in common firewall terminology, inspecting the payload is called deep packet inspection, while "stateful" denotes tracking of connection state). Therefore the content is assessed in addition to the origin, the destination, and the communications path that the communications data have taken. In addition to directly accessing the payload, an authorization criterion can also evaluate corresponding properties of the communications data contained in the header of the packet-based communication. Forming the filter means in hardware at least in part, i.e., in particular integrating it in the chip that forms the interface unit, further restricts the possibilities of manipulation.
- In some embodiments, filtering the communications traffic within the data processing device itself, but outside the arithmetic unit and the storage means, allows strict separation in distributed systems of data processing devices. Placing the filter means in the interface unit, i.e., in particular in an external chip, furthermore makes it possible to use simpler remaining components, in particular arithmetic units such as CPUs, in security-critical data processing devices that use the communications standard of the communications connection. Outsourcing the filter means to the interface unit thus reduces the complexity of the data processing device itself. The mechanism according to the embodiments described herein can also be used in multiplexed/demultiplexed communications connections. In particular, a bridging means that is used does not need to have any information about the filtering.
- In some embodiments, a communications connection according to the PCI Express (PCIe) communications standard is used. A PCIe communications connection in principle represents a packet-based point-to-point connection, which as described at the outset, can also be used for a plurality of communications partners, by way of bridging means.
- In some embodiments, the filter means may be applied in a communications layer that acts in accordance with the communications standard used in the communications connection for the physical transport of formatted communications data, in particular the transaction layer in PCI Express. Hardware-assisted filtering within the transaction layer is therefore possible. This means that the filtering can purposely be located as close as possible to the physical reception of the communications data, in order to minimize its influence on the data processing device, in particular the storage means and/or the arithmetic unit. In the transaction layer, the data are still in the transmission format defined by the communications standard, here in particular PCI Express. If content, in particular the payload, is to be accessed directly by at least one authorization condition and the payload is encrypted, a filter means of this kind would be placed directly after a suitable decryption means.
- In some embodiments, a filter means implemented as part of a microchip that forms the interface unit is used as the filter means. The filter means can thus be implemented in concrete terms by means of hardware, by modifying a corresponding interface unit microchip, and therefore be firmly integrated in the processing sequence, in terms of the hardware. This can in particular be a PCIe chip.
- In some embodiments, the filter means can preferably be configured exclusively by the data processing device itself, in particular exclusively by the arithmetic unit. In this case the arithmetic unit, for example a CPU, thus preferably has exclusive configuration access to the filter means, which ensures the greatest possible autonomy and flexibility of the data processing device itself; it is then also possible, for example, to respond to attacks by making the authorization conditions stricter or by deactivating the communications connection entirely.
- In some embodiments, at least one of the authorization conditions assessing a payload may check a minimum and/or maximum length of a payload unit such as a control command, a restriction of the function type of a control command described by the payload, and/or a restriction of the accessible memory region of the at least one storage means. A restriction of the admissible payload in the communications data can therefore be defined, initially for example by the length of a payload unit that is intended to be written into a memory region of the storage means. It can be assumed, for example, that the smaller a payload unit such as a control command is, the less damage a malicious payload unit can do in the data processing device. It is also possible, in the communications standard and/or by a corresponding design of the filter means, to distinguish between different function types of the control commands described by the payload, for example by classifying these types in different ways, so that, according to a particularly preferred embodiment, an authorization condition excludes certain function types or function classes. This in turn excludes certain types of access in the data processing device, in particular to the storage means, for example write access, manipulation access and the like.
- In some embodiments, the memory region in which the payload of the communications data may be stored can be restricted. Owing to their structure, payloads/control commands frequently target certain memory regions of the storage means of the data processing device, and these regions may be particularly relevant for the security-critical functionality of the device; such particularly security-critical regions can therefore be excluded, for example by an authorization condition. By way of non-limiting example, authorization conditions for all these criteria can be combined, so that workarounds such as fragmenting an overall command into smaller pieces in order to evade a size restriction, and the like, are prevented.
- In some embodiments, in addition to the contents-related authorization conditions, further authorization conditions can be used which evaluate a communication attribute describing the communications connection and/or the communications partner. For example, in the case of the PCI Express communications standard it is known to identify the relevant communications partner within the communications information, as well as the specific communications connection to said communications partner that is used, if a plurality of communications connections exist. Thus, the filter means can also restrict which communications connections and which communications partners are admitted.
- In some embodiments, the configuration information may describe a security level having associated authorization conditions and/or parameters of the authorization conditions. Therefore, specific predetermined configuration information can be used for different security levels, with the result that the corresponding security level can be adjusted to the filter means within the data processing device in a particularly simple manner, by means of configuration access. By way of non-limiting example, 16 security levels can be provided, which can thus be described, for example, by 2 bytes which relax restrictions for the communications data in a stepwise manner.
- The procedure according to various embodiments as described herein can be used in a data processing system of a motor vehicle. By way of non-limiting example, the data processing device forms a part of a motor vehicle, in particular a controller, and communicates with the at least one communications partner which is part of a data processing system of the motor vehicle. As already explained at the outset, modern motor vehicles are a specific example for complex data processing systems in which a wide variety of security levels or security regions can be defined, for example as more security-critical controllers (vehicle guidance, in particular fully automated vehicle guidance, security systems and the like), and less security-critical controllers (infotainment, etc.). In this case, a mechanism allows for high-speed communication, for example, via PCI Express, comprising a feedback channel, but which nonetheless prevents, as far as possible, possibilities of manipulation from less security-critical controllers.
- In some embodiments, a data processing device, in particular, a controller for a motor vehicle is disclosed. The data processing device comprises an interface element having a filter means, at least one storage means, and an arithmetic unit, and is designed to carry out the method according to the embodiments as described herein. In some embodiments, a motor vehicle comprising a data processing device according to embodiments as described in this disclosure is disclosed. All the disclosure with regard to the method according to various embodiments as described herein can be transferred analogously to the data processing device and the motor vehicle as described herein.
- Various embodiments are described in the following with reference to the drawings.
- FIG. 1 shows a schematic sketch of a data processing device 1 that comprises at least one arithmetic unit 2 and at least one storage means 3. At least one of the at least one storage means 3 may also be implemented within the arithmetic unit 2, which can for example be designed as a CPU. By way of non-limiting example, the data processing device 1 can be a controller of a motor vehicle.
- In accordance with some embodiments, in order to be able to communicate with other data processing devices of the motor vehicle, for example further controllers and/or other data processing devices such as display devices, communications connections are formed proceeding from the data processing device 1. At least one communications connection 4 to a communications partner 5, which is only indicated here, uses the PCI Express communications standard (PCIe) for high-speed data transmission. Accordingly, one interface unit 6 of the data processing device 1 is designed as a PCIe microchip. By way of non-limiting example, a filter means 7, which checks incoming communications data against various authorization conditions on the basis of configuration information, is integrated in hardware into said interface unit 6, i.e., provided in a fixed manner in the corresponding microchip, and the payload contained in the communications data is actually forwarded to the further components of the data processing device 1, in this case the arithmetic unit 2 and the storage means 3, only if all the authorization conditions are fulfilled. At least one of the authorization conditions evaluates a property of the payload contained in the communications data; further authorization conditions can also relate to the communications partner 5 and/or to the communications connection 4 itself. The communications partner 5 can be either an end point or an interposed switching means, for example a bridging means, a switch and/or a multiplexer/demultiplexer.
- In accordance with some embodiments, the filter means 7 can be configured only from within the data processing device 1, for example by the arithmetic unit 2. By way of non-limiting example, a separate configuration channel can be provided for this purpose, but it is also possible to use a configuration interface of the interface unit 6 that exists in any case. The configuration access is indicated by the arrow 8 in FIG. 1.
- FIG. 2 explains in more detail the operating sequence of an embodiment of the method as it can be implemented in the data processing device 1. In a step S1, communications data comprising a payload and a header are received, in the present case as data packets. After passing through the physical layer and the data link layer, the communications data reach the transaction layer, where the data packets (transaction layer packets, TLPs) encounter the filter means 7. The corresponding filtering, i.e., checking all the authorization conditions for each incoming data packet, takes place in step S2. If at least one of the authorization conditions is found not to be fulfilled, the data packet is rejected in step S3, and the method returns to step S1 for the next data packet. If, however, all authorization conditions are fulfilled, the communications data are processed further as usual in the interface unit 6 in a step S4 and forwarded to the further components of the data processing device 1.
- In an optional step S5, the arithmetic unit 2 can constantly monitor whether an attack is present or can be detected. Reconfiguration (arrow 8) of the filter means 7 can then take place in a step S6: for example, the authorization conditions can be made stricter, or the communications connection 4 can be deactivated entirely.
- In accordance with some embodiments, specific security levels with associated configuration information, which describes the authorization conditions, are defined as shown in greater detail in table 9 of FIG. 3. Each line corresponds to a security level L1, L2, etc., and P1-P10 are parameters of authorization conditions. P1 and P2 describe the admissible serial numbers of communications connections, and P3 and P4 the admissible serial numbers of communications partners. P5-P10 relate to contents-related authorization conditions: P5 and P6 describe the range of admissible function types (function classes), P7 and P8 the admissible memory regions of the at least one storage means 3 into which data may be written, and P9 and P10 the minimum and maximum length of payload units. Payload units can correspond to control commands, but other payloads can also be processed by the filter means 7.
- By way of non-limiting example, security level L1 may not be associated with any restrictions on the communication, while security level L16 allows only signals on the first communications connection from communications partner no. 16 and of the first function class. The target memory region and the amount of data are likewise clearly defined and restricted.
- A suitable security level L1, L2, etc. can, as described, also be selected dynamically by the arithmetic unit 2.
- FIG. 4 shows a schematic sketch of a motor vehicle 10 that comprises a data processing system 11 with a plurality of data processing devices 1A, 1B and 1C according to the embodiments described herein. Only three data processing devices are shown for simplicity of illustration. Communications connections 4ab, 4ac, 4bc exist in each case between the data processing devices 1A, 1B and 1C.
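The following is an added worked model of the filter means and of the security levels described above (the authorization conditions on connection number, communications partner, function class, target memory region and payload length, and the levels L1 and L16 of table 9 in FIG. 3). It is example code written for this page, not code from the patent or from Audi, and the names filter_tlp, make_mem_tlp, check_request, LEVEL_L1 and LEVEL_L16 are hypothetical. Beyond what the text states, it assumes that the function class is derived from the Fmt/Type field of the PCIe TLP header, that the communications partner number is the TLP Requester ID, that the connection number is the ingress port on which the interface unit received the TLP, and that the first function class is a memory read; the parameter values of the two levels and the sample packets are constructed for illustration.

```c
/* Added model of the PCIe transaction-layer filter described on this page; not code from the
 * patent or from Audi. Assumptions not in the text: "function class" is derived from the TLP
 * Fmt/Type field, "communications partner number" is the TLP Requester ID, "connection number"
 * is the ingress port of the interface unit, and the first function class is a memory read. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { ACCEPT = 0, REJ_MALFORMED, REJ_CONN, REJ_PARTNER, REJ_CLASS, REJ_REGION, REJ_LEN };
/* Hypothetical function classes, ordered from least to most intrusive. */
enum fclass { FC_MEM_READ = 1, FC_MEM_WRITE, FC_CONFIG, FC_COMPLETION, FC_MESSAGE, FC_OTHER };

/* One security level: parameters P1..P10 of table 9 (FIG. 3) as inclusive ranges. */
struct level {
    uint16_t conn_lo, conn_hi, partner_lo, partner_hi; /* P1..P4: connections, Requester IDs */
    uint8_t  class_lo, class_hi;                       /* P5, P6: function classes          */
    uint64_t addr_lo, addr_hi;                         /* P7, P8: admissible target region  */
    uint32_t len_lo, len_hi;                           /* P9, P10: payload length in bytes  */
};
/* Constructed values: L1 admits everything; L16 admits only 4..64-byte memory reads from
 * partner 16 on connection 1 that stay inside one 4 KiB window. */
static const struct level LEVEL_L1  = { 0, 0xffff, 0, 0xffff, FC_MEM_READ, FC_OTHER, 0, UINT64_MAX, 0, 4096 };
static const struct level LEVEL_L16 = { 1, 1, 16, 16, FC_MEM_READ, FC_MEM_READ, 0x1000, 0x1fff, 4, 64 };

struct tlp { uint8_t type; bool has_data, has_addr; uint16_t requester_id; uint64_t addr; uint32_t bytes; };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Decode the TLP header (PCIe base spec layout) and reject packets whose framing does not add up. */
static bool parse_tlp(const uint8_t *buf, size_t n, struct tlp *t) {
    if (n < 12) return false;
    memset(t, 0, sizeof *t);
    uint8_t fmt = buf[0] >> 5;
    t->type = buf[0] & 0x1f;
    t->has_data = (fmt & 0x2) != 0;
    size_t hdr = (fmt & 0x1) ? 16 : 12;                 /* 4DW or 3DW header */
    if (n < hdr) return false;
    uint32_t len_dw = ((buf[2] & 0x03) << 8) | buf[3];
    bool mem_req = (t->type == 0x00 || t->type == 0x01);
    if (len_dw == 0 && (t->has_data || mem_req)) len_dw = 1024; /* Length 0 encodes 1024 DW */
    t->bytes = len_dw * 4;                              /* carried (write) or requested (read) */
    t->requester_id = (uint16_t)((buf[4] << 8) | buf[5]);
    if (mem_req) {
        t->has_addr = true;
        t->addr = (hdr == 16) ? (((uint64_t)be32(buf + 8) << 32) | (be32(buf + 12) & ~3u))
                              : (be32(buf + 8) & ~3u);
    }
    size_t expect = hdr + (t->has_data ? t->bytes : 0) + ((buf[2] & 0x80) ? 4 : 0); /* TD: ECRC */
    return n == expect;
}

static uint8_t function_class(const struct tlp *t) {
    if (t->type == 0x00 || t->type == 0x01) return t->has_data ? FC_MEM_WRITE : FC_MEM_READ;
    if (t->type == 0x04 || t->type == 0x05) return FC_CONFIG;
    if (t->type == 0x0a) return FC_COMPLETION;
    if ((t->type & 0x18) == 0x10) return FC_MESSAGE;
    return FC_OTHER;
}

/* Step S2 of FIG. 2: every authorization condition must hold, otherwise the packet is dropped (S3). */
enum verdict filter_tlp(const uint8_t *buf, size_t n, uint16_t conn, const struct level *lv) {
    struct tlp t;
    if (!parse_tlp(buf, n, &t)) return REJ_MALFORMED;
    if (conn < lv->conn_lo || conn > lv->conn_hi) return REJ_CONN;
    if (t.requester_id < lv->partner_lo || t.requester_id > lv->partner_hi) return REJ_PARTNER;
    uint8_t fc = function_class(&t);
    if (fc < lv->class_lo || fc > lv->class_hi) return REJ_CLASS;
    if (t.has_addr) { /* the whole access must lie inside the window, not just its first byte */
        if (t.addr < lv->addr_lo || t.addr > lv->addr_hi) return REJ_REGION;
        if (t.bytes && lv->addr_hi - t.addr < (uint64_t)t.bytes - 1) return REJ_REGION;
    }
    if (t.bytes < lv->len_lo || t.bytes > lv->len_hi) return REJ_LEN;
    return ACCEPT;
}

/* Build a 3DW memory request (constructed sample, not captured traffic). */
size_t make_mem_tlp(uint8_t *out, bool write, uint16_t req_id, uint32_t addr, uint16_t len_dw, const uint8_t *data) {
    memset(out, 0, 12);
    out[0] = write ? 0x40 : 0x00;   /* Fmt 010 (MWr) / 000 (MRd), Type 00000 */
    out[2] = (len_dw >> 8) & 0x03;  out[3] = len_dw & 0xff;
    out[4] = req_id >> 8;           out[5] = req_id & 0xff;
    out[7] = 0x0f;                  /* first DW byte enables */
    out[8] = addr >> 24; out[9] = addr >> 16; out[10] = addr >> 8; out[11] = addr & 0xfc;
    size_t n = 12;
    if (write) { memcpy(out + 12, data, len_dw * 4u); n += len_dw * 4u; }
    return n;
}

/* Build one request of at most 64 DW, optionally truncate it by `trim` bytes, and filter it. */
int check_request(bool write, uint16_t req_id, uint32_t addr, uint16_t len_dw, size_t trim,
                  uint16_t conn, const struct level *lv) {
    static const uint8_t zeros[64 * 4] = { 0 };
    uint8_t pkt[12 + 64 * 4];
    if (len_dw > 64) return -1;
    size_t n = make_mem_tlp(pkt, write, req_id, addr, len_dw, zeros);
    return trim > n ? -1 : (int)filter_tlp(pkt, n - trim, conn, lv);
}

int main(void) {
    printf("MWr at L1=%d, MWr at L16=%d, MRd at L16=%d\n", check_request(true, 16, 0x1000, 1, 0, 1, &LEVEL_L1),
           check_request(true, 16, 0x1000, 1, 0, 1, &LEVEL_L16), check_request(false, 16, 0x1000, 1, 0, 1, &LEVEL_L16));
    return 0;
}
```

Two details are worth noting. The region check tests the last byte of the access as well as the first, so a read or write that starts inside the admissible window but runs past its end is rejected rather than partially honoured; combined with the class and length limits, this is what bounds what a command split into several small packets can still achieve, as the text describes. The framing check in parse_tlp runs before any condition is evaluated, so a packet whose Length field does not match the bytes actually delivered never reaches the arithmetic unit or the storage means.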
Claims (13)
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE102017214624.9 | 2017-08-22 | ||
DE102017214624.9A DE102017214624A1 (en) | 2017-08-22 | 2017-08-22 | Method for filtering communication data arriving via a communication connection in a data processing device, data processing device and motor vehicle |
PCT/EP2018/072629 WO2019038317A1 (en) | 2017-08-22 | 2018-08-22 | Method for filtering communication data arriving via a communication connection in a data processing device, data processing device and motor vehicle |
Publications (2)
Publication Number | Publication Date |
---|---|
US20200244624A1 (en) | 2020-07-30 |
US11582189B2 US11582189B2 (en) | 2023-02-14 |
Family
ID=63312025
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/632,611 Active 2039-08-26 US11582189B2 (en) | 2017-08-22 | 2018-08-22 | Method for filtering communication data arriving via a communication connection, in a data processing device, data processing device and motor vehicle |
Country Status (5)
Country | Link |
---|---|
US (1) | US11582189B2 (en) |
EP (1) | EP3577568B1 (en) |
CN (1) | CN111033485B (en) |
DE (1) | DE102017214624A1 (en) |
WO (1) | WO2019038317A1 (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3264648B1 (en) | 2010-06-17 | 2023-09-06 | Sun Patent Trust | Pre-coding method and transmitter |
EP3032769B1 (en) | 2010-06-17 | 2017-09-13 | Sun Patent Trust | Pre-coding method and transmitter |
DE102017221889B4 (en) | 2017-12-05 | 2022-03-17 | Audi Ag | Data processing device, overall device and method for operating a data processing device or overall device |
CN118227554A (en) * | 2022-12-20 | 2024-06-21 | 成都芯海创芯科技有限公司 | System on chip and car |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140032800A1 (en) * | 2012-07-30 | 2014-01-30 | GM Global Technology Operations LLC | Vehicle message filter |
US20200043251A1 (en) * | 2017-04-28 | 2020-02-06 | Continental Teves Ag & Co. Ohg | Data transfer device and method for transferring data for a vehicle |
US20220131834A1 (en) * | 2018-08-29 | 2022-04-28 | Volkswagen Aktiengesellschaft | Device, method and computer program for providing communication for a control appliance of a vehicle, method, central device and computer program for providing an update, control appliance, and vehicle |
Family Cites Families (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100609170B1 (en) * | 2004-02-13 | 2006-08-02 | 엘지엔시스(주) | system of network security and working method thereof |
US7840763B2 (en) * | 2004-03-12 | 2010-11-23 | Sca Technica, Inc. | Methods and systems for achieving high assurance computing using low assurance operating systems and processes |
US20060136338A1 (en) | 2004-12-16 | 2006-06-22 | Intel Corporation | Techniques for filtering attempts to access component core logic |
US7694047B1 (en) | 2005-02-17 | 2010-04-06 | Qlogic, Corporation | Method and system for sharing input/output devices |
DE102005028663B4 (en) * | 2005-06-15 | 2024-10-24 | Volkswagen Ag | Method and device for securely communicating a component of a vehicle via a wireless communication connection with an external communication partner |
DE102005055419B3 (en) | 2005-11-21 | 2007-04-12 | Giesecke & Devrient Gmbh | Double interface device for use in communication network, has data transfer control for connecting portable data carriers over hardware connections, where each carrier comprises one of external hardware-interfaces and hardware connections |
KR101206542B1 (en) * | 2006-12-18 | 2012-11-30 | 주식회사 엘지씨엔에스 | Apparatus and method of securing network of supporting detection and interception of dynamic attack based hardware |
DE102012017339B4 (en) * | 2012-08-31 | 2014-12-24 | Airbus Defence and Space GmbH | computer system |
WO2014210215A1 (en) * | 2013-06-25 | 2014-12-31 | Fedex Corporation | Transport communication management |
EP2983088A1 (en) | 2014-08-06 | 2016-02-10 | Airbus Defence and Space GmbH | Memory protection unit |
2017
- 2017-08-22 DE DE102017214624.9A patent/DE102017214624A1/en active Pending
2018
- 2018-08-22 EP EP18758875.1A patent/EP3577568B1/en active Active
- 2018-08-22 US US16/632,611 patent/US11582189B2/en active Active
- 2018-08-22 WO PCT/EP2018/072629 patent/WO2019038317A1/en active Search and Examination
- 2018-08-22 CN CN201880052729.XA patent/CN111033485B/en active Active
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140032800A1 (en) * | 2012-07-30 | 2014-01-30 | GM Global Technology Operations LLC | Vehicle message filter |
US20200043251A1 (en) * | 2017-04-28 | 2020-02-06 | Continental Teves Ag & Co. Ohg | Data transfer device and method for transferring data for a vehicle |
US20220131834A1 (en) * | 2018-08-29 | 2022-04-28 | Volkswagen Aktiengesellschaft | Device, method and computer program for providing communication for a control appliance of a vehicle, method, central device and computer program for providing an update, control appliance, and vehicle |
Also Published As
Publication number | Publication date |
---|---|
DE102017214624A1 (en) | 2019-02-28 |
EP3577568A1 (en) | 2019-12-11 |
CN111033485A (en) | 2020-04-17 |
EP3577568B1 (en) | 2022-02-23 |
US11582189B2 (en) | 2023-02-14 |
CN111033485B (en) | 2023-09-26 |
WO2019038317A1 (en) | 2019-02-28 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11582189B2 (en) | Method for filtering communication data arriving via a communication connection, in a data processing device, data processing device and motor vehicle | |
US11651088B2 (en) | Protecting a vehicle bus using timing-based rules | |
US11314661B2 (en) | Hardware security for an electronic control unit | |
CN107710657B (en) | Method and device for real-time data security of a communication bus | |
CN111434089B (en) | Data processing device, assembly and method for operating a data processing device or assembly | |
KR20190032276A (en) | A specially programmed computer system having an associated device configured to implement a security lockdown and a method of using the same | |
US20160261561A1 (en) | One-way gateway, and vehicle network system and method for protecting network within vehicle using one-way gateway | |
CN110997442B (en) | Computing device for providing access control to hardware resources | |
JP6822832B2 (en) | Systems and methods for software communication | |
US12034771B2 (en) | Automotive gateway providing secure open platform for guest applications | |
US20150254461A1 (en) | Testing integrated independent levels of security components hosted on a virtualization platform | |
JP7160550B2 (en) | Multi-core architecture, interface card and method for processing data packets | |
US10958472B2 (en) | Direct access to bus signals in a motor vehicle | |
EP2983088A1 (en) | Memory protection unit | |
CN111694299B (en) | Communication system for vehicle | |
US20220318047A1 (en) | Device and method for managing communication via interfaces in a virtualized system | |
US20230267204A1 (en) | Mitigating a vehicle software manipulation | |
US20110010773A1 (en) | Hardware command filter matrix integrated circuit with restriced command enforcement capability |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| FEPP | Fee payment procedure | ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
| AS | Assignment | Owner name: AUDI AG, GERMANY. ASSIGNMENT OF ASSIGNORS INTEREST; ASSIGNORS: AHN, CHANGSUP; ZAWADZKI, KAMIL; KLEIN, MARKUS, DR.; AND OTHERS; SIGNING DATES FROM 20200110 TO 20200117; REEL/FRAME: 051597/0630 |
| STPP | Information on status: patent application and granting procedure in general | DOCKETED NEW CASE - READY FOR EXAMINATION |
| STPP | Information on status: patent application and granting procedure in general | NON FINAL ACTION MAILED |
| STPP | Information on status: patent application and granting procedure in general | RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
| STPP | Information on status: patent application and granting procedure in general | NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS |
| STCF | Information on status: patent grant | PATENTED CASE |